Cloud Management Gateway for Azure AD Hybrid Joined Windows 10 Workstations

Brass Contributor

I have my CMG setup and a handful of Azure AD Hybrid Joined Windows 10 Workstations (1809 and 1903) are getting a Client Setting to use the CMG. My servers and my clients are 1902 and I have Enhanced HTTP enabled. I used a third party certificate from a public and globally trusted certificate provider for the CMG server authentication certificate.

 

However, once my workstations try to use the CMG, things go downhill fast. Software Center loads with a blank window. After about five or ten minutes, it loads my customized settings but no content.

 

I'm not great with ConfigMgr logs but ADALOperationProvider.log on the endpoint comes up with "Getting AAD (device) token" with the client ID, ResourceURL, and AccountID every so often but I don't see any errors.

 

LocationServices.log does a lot of this:

 

Ignoring MP error during post-rotation flush period of 20 seconds. LocationServices 8/9/2019 10:44:28 AM 9416 (0x24C8)

0 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 10:44:28 AM 9416 (0x24C8)

1 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:28 AM 4744 (0x1288)

2 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:28 AM 212 (0x00D4)

3 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:28 AM 212 (0x00D4)

4 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4)

Internet MP error threshold reached, moving to next MP. LocationServices 8/9/2019 11:00:29 AM 4280 (0x10B8)

Ignoring MP error during post-rotation flush period of 20 seconds. LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4)

0 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 8/9/2019 11:00:29 AM 212 (0x00D4)

 

but if I scroll up enough in the log I do find an error "Failed to get client certificate for transportation. Error 0x87d00281" from around when I powered on the workstation.

 

If I use the Cloud management Gateway connection analyzer with an Azure AD user sign in, it fails on the "Testing the CMG channel for management point: 'thenameoftheMP'" step with the following error:

 

Failed to get ConfigMgr token with Azure AD token. Status code is '401' and status description is 'CMGConnector_Unauthorized'.

 

A possible reason for this failure is the CMG connection point failed to forward the message to the management point. The management point returned the following error: 'Unauthorized'.

 

If I use a Client certificate instead, the PFX I used to create the CMG, it has a failure on two steps.

 

"Check configuration settings of the CMG service is up to date" has an error of "Configuration version of the CMG service should be 2. Failed to get CMG service metadata. For more information, see SmsAdminUI.log."

 

The step "Testing the CMG channel for management point: 'thenameoftheMP'" gives me a new error, "Failed to refresh MP location. Selected client certificate is not trusted by the CMG service. Check if certificate chain for the client certificate is specified to upload to the CMG service and check revocation check setting."

 

My Azure AD User discovery is happily chugging along and my Windows 10 workstations in question are successfully Azure AD Hybrid Joined.

 

Any ideas on where I messed up? I followed the instructions at https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/setup-cloud-management-gateway which were pretty good and easy to follow.

 

Does my CMG connection point need to be Azure AD Hybrid Joined in order to use Azure AD for client authentication?  My CMG connection point is installed on a 2012 R2 non-Azure AD Hybrid Joined server slated for upgrade to 2019 later this year. My MP and SUP are on the same server.

2 Replies

@Kirk Francis Did you ever get an answer to this?  I am running into almost the exact same issues down to a T

@pembertj Yes!  It was our own darn fault.  Years ago, we had put an IIS redirect to direct users to a "prettier" CNAME for the Application Catalog's URL.

Once we removed the Application Catalog roles in favor of using only Software Center, we removed the IIS redirect and our CMG started working great.  Just in time for "work from home".

 

Hopefully, you have as simple a fix.  I just hope it doesn't take you a month or two to track it down like it took me!

 

Good luck!